Since the announcement of the UK Government’s corporate governance reforms, there has been much debate and even more speculation on what management need to do to comply, both in letter and spirit. The latest Financial Reporting Council (FRC) consultation on the UK Corporate Governance Code, published in May 2023, has added to the focus on internal controls effectiveness, Board oversight, assurance and resilience.
There is little doubt that the potential new requirements in relation to ‘internal controls’ have taken centre stage. When the Code is finalised, further guidance is expected to be published alongside it.
But in the meantime, many companies have been considering the “no regrets” uplift to their control environment.
What can you do now?
If you have not performed any work on internal controls before, the earlier you start planning, the better.
We have helped many organisations in internal controls readiness activities as well as delivering formal assurance reports on internal controls. From experience, we know that it takes time and effort to get your internal controls documented, assessed and any issues fixed before you can provide assurance to your internal or external stakeholders.
A first step is to define a formal framework. Many adopt COSO 2013, but the FRC has been open to the Board defining its own company-specific approach. Once you’ve documented your internal control framework (also sometimes referred to as a controls matrix, library or inventory), you can then move into formal reviews of your documented internal controls and, if relevant, obtain independent assurance over them. This could be in the form of a periodic report that provides you with a reasonable assurance opinion from an independent assurance provider. Companies which have to implement an audit and assurance policy will have to specifically disclose whether they will obtain external assurance over financial reporting controls.
How does all this work?
- Readiness: ...including documentation, assessment of internal control readiness and remediation plan.
- Remediation: your time to remediate gaps and complete the actions identified during the readiness stage.
- Formal assurance review: assurance (internal/external), either as at a specified date or over a period of time.
It’s important to first identify your principal risk areas and prioritise them. In our view, a sensible place to start is to run a scoping session and a series of workshops with relevant personnel to determine the material areas in scope for the effectiveness statement. This should consider key operational, compliance and reporting risks.
Once the Board has agreed the framework and scope, it’s time to identify and document the key controls that mitigate those principal risks. The key output of the readiness stage is a controls matrix - your documented internal controls with all the information needed to assess their design and operating effectiveness. This exercise will indicate whether you have any material weaknesses. It is the basis of any assurance review and brings to the surface the gaps and improvements, and the level of effort and resources required to remediate them. Below is an example of what a simplified controls matrix may look like. It is only an excerpt from a control framework and therefore does not show the full set of controls required to meet the control objective shown:
How to read the columns:

- Control area: the area within which the activity falls.
- Control objective: a statement of intent of what an organisation looks to achieve, based on the risks being managed (sometimes also called “criteria”).
- Indicative control: the control description, i.e. the internal control activity that helps the organisation manage risks within the relevant business process.
- Evidence: what you will be required to provide.
- Gaps/issues: actions for the remediation phase.
- Achievement of control objective: an indicative view of whether the control objective is achieved.

| Control area | Control objective | Control ref. | Indicative control | Evidence | Gaps/issues | Control finding | Achievement of control objective |
|---|---|---|---|---|---|---|---|
| Authorising and processing transactions | Investment transactions are authorised, executed and allocated accurately within agreed timescales. | AUP.1 | Each fund has a documented Prospectus which defines how the fund operates. On an annual basis, each Prospectus is reviewed by Risk and Compliance. The CEO signs off the annual reviews. | Inspected: | There is no formal process for documenting the CEO sign off of the annual Prospectus reviews. | Poorly documented controls or deficient controls. | Criteria achieved - improvement areas identified. |
| Authorising and processing transactions | Investment transactions are authorised, executed and allocated accurately within agreed timescales. | AUP.2 | On a weekly basis, the Investment Strategy Committee (ISC) meeting is held to discuss investment strategy, portfolio positioning, and transactions. This is attended by the CIO, Heads of Investment, and Risk and Operations. Actions are documented in the ISC action log and owners allocated. These are then investigated and discussed at the next ISC meeting. | Inspected: | There is no versioning of the ISC action log spreadsheet, therefore we were unable to evidence that actions had been investigated and discussed at the next ISC meeting. | Poorly documented controls or deficient controls. | |
Once you have completed the actions identified during the readiness stage to fix all the issues and gaps, you can look for either internal or external assurance. Internal assurance is typically carried out by a second or third line team; some companies outsource their internal assurance provision in this area. External assurance is done with the assistance of an independent assurance provider and follows an established standard. There are established standards for providing assurance over internal controls, e.g. ISAE 3402, which organisations have used for a number of years, and these can be a route to assess the effectiveness of your internal controls. Some examples of external assurance are Agreed Upon Procedures reviews, ‘Review and Recommend’ engagements, or limited and reasonable assurance opinions. We will share more details, including the pros and cons of each type of assurance, in our upcoming blog.
Controls within the controls matrix need to be written to acceptable standards. The Institute of Chartered Accountants in England and Wales (ICAEW) Technical Release 01/20 AAF requires Control Activity descriptions to be:
- Factual: a true representation of the Control Activity undertaken.
- Objective: avoids the use of subjective words such as adequate, appropriate, should, regular, timely, etc.
- Specific: contains sufficient detail to allow User Organisations to understand the nature, timing and extent of the Control Activity, who is responsible for its performance and what IT, if any, supports it.
- Verifiable: avoids the use of non-verifiable words such as only, always, never, etc. Evidence is retained to demonstrate the performance of the Control Activity and to support testing of the Control Activity by Senior Management and the Service Auditor.
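The four ICAEW criteria above are mechanical enough to check before a description goes into the controls matrix. The script below is an added example (not from the article or from ICAEW) that lints a control description against them: it flags the subjective and non-verifiable words the criteria name, and checks for a stated frequency, a named responsible role and a reference to retained evidence. The role and evidence keyword lists, the function names and the weak sample description are assumptions constructed for illustration; the AUP.1 sample is the control from the matrix excerpt above.

```python
"""Lint control activity descriptions against the ICAEW TR 01/20 AAF criteria.

Added example, not code from the article. Word lists for "Objective" and
"Verifiable" are the ones the criteria name; the role/evidence/frequency
hints and the helper names are constructed assumptions.
"""
import re

# "Objective": subjective words the criterion says to avoid.
SUBJECTIVE = {"adequate", "appropriate", "should", "regular", "regularly", "timely"}
# "Verifiable": absolute, non-verifiable words the criterion says to avoid.
NON_VERIFIABLE = {"only", "always", "never"}
# "Specific": timing/frequency terms (constructed list).
FREQUENCY = {"daily", "weekly", "monthly", "quarterly", "annual", "annually", "each", "every"}
# "Specific": a named responsible role (constructed list of hints).
ROLE_HINT = re.compile(
    r"\b(CEO|CIO|CFO|committee|head of|manager|management|team|risk and compliance)\b", re.I
)
# "Verifiable": evidence is retained to demonstrate performance (constructed hints).
EVIDENCE_HINT = re.compile(
    r"\b(sign(?:s|ed)? off|log|minutes|report|documented|retained|approv\w*)\b", re.I
)

# AUP.1 from the matrix excerpt in the article.
GOOD = (
    "Each fund has a documented Prospectus which defines how the fund operates. "
    "On an annual basis, each Prospectus is reviewed by Risk and Compliance. "
    "The CEO signs off the annual reviews."
)
# Constructed example of a description that fails most of the criteria.
WEAK = (
    "Management performs appropriate reviews of transactions on a regular basis "
    "and always resolves issues in a timely manner."
)


def lint_control(description: str) -> list[str]:
    """Return findings for one description; an empty list means it passes."""
    words = set(re.findall(r"[a-z]+", description.lower()))
    findings = []
    hits = sorted(words & SUBJECTIVE)
    if hits:
        findings.append(f"Objective: subjective wording {hits}")
    hits = sorted(words & NON_VERIFIABLE)
    if hits:
        findings.append(f"Verifiable: non-verifiable wording {hits}")
    if not words & FREQUENCY:
        findings.append("Specific: no frequency or timing stated")
    if not ROLE_HINT.search(description):
        findings.append("Specific: no responsible role named")
    if not EVIDENCE_HINT.search(description):
        findings.append("Verifiable: no retained evidence referenced")
    return findings


def lint_matrix(rows: dict[str, str]) -> dict[str, list[str]]:
    """Lint a {control ref: description} matrix; only failing refs are returned."""
    return {ref: f for ref, desc in rows.items() if (f := lint_control(desc))}


if __name__ == "__main__":
    for ref, findings in lint_matrix({"AUP.1": GOOD, "X.1": WEAK}).items():
        print(ref)
        for line in findings:
            print("  -", line)
```

The checks are deliberately lexical: they catch the wording problems the criteria list, not whether the control actually mitigates the risk, which still needs a reviewer. A description that passes the lint can still be a poor control; one that fails it will not survive an assurance provider's walkthrough.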
We will also be sharing more via future blogs about how to write good controls.
Who should you involve?
It will depend on the scope your Board chooses, and the final Code once published. You will likely need to identify control owners and control operators from personnel involved in the operation of core business and IT processes, as well as organisation wide functions such as risk, compliance and governance. Oversight by a steering group can also provide accountability and responsibility for driving the work around internal controls.